We’re looking for a hands‑on Security Engineer / Architect to help secure our systems, data, and funds across both traditional infrastructure and Web3.
About the Role
You’ll work closely with IT, Infra, R&D, Web3, Product, and business teams to design practical security controls, lead security projects end‑to‑end, run offensive security exercises, and support ongoing security initiatives. This is a role for someone who is comfortable going from high‑level architecture to very concrete implementation details and automation.
Responsibilities
Core Security Engineering
- Design and implement security controls to protect sensitive data, financial assets, and critical systems, ensuring integrity, confidentiality, and availability.
- Evaluate, recommend, and lead the implementation of security solutions (tools, platforms, processes) in a hands‑on manner.
- Own security projects from inception to rollout, working closely with IT, Infrastructure, R&D, Web3 and other business units to ensure secure and timely delivery.
- Proactively identify and assess risks and vulnerabilities, and define/enforce mitigation strategies (technical and process).
Offensive Security, Testing & Bug Bounty
- Plan and execute penetration tests and targeted assessments (applications, APIs, infrastructure, Web3 components) either directly or by coordinating external partners.
- Lead or support red teaming / adversarial simulations to test detection, response, and real‑world resiliency of critical workflows and infrastructure.
- Work with engineering teams on purple team style exercises: jointly validating detections, hardening controls, and improving runbooks.
- Own the technical side of the bug bounty / responsible disclosure process:
  - Triage and validate incoming reports
  - Coordinate with engineering owners
  - Track remediation and communicate outcomes internally (and externally where needed)
Automation & Security Engineering
- Build and maintain security automation: scripts, playbooks, and pipelines that reduce manual toil (e.g., auto‑enrichment of alerts, automated checks in CI/CD, policy‑as‑code).
- Integrate and tune SAST/DAST/SCA, IaC scanning, image scanning, and secrets scanning into CI/CD to catch issues early with minimal noise.
- Implement detection‑as‑code (e.g., for SIEM / logging platforms) and continuously refine alerts based on real incidents and red team learnings.
Policy, Operations & Collaboration
- Develop, refine, and maintain security policies, standards, and procedures, with a strong focus on data, funds, and access security.
- Contribute to day‑to‑day security operations and monitoring, including reviewing alerts, supporting incident response, and improving detection & response capabilities.
- Collaborate with stakeholders (IT, HR, Infra, R&D, Product, Trading, and other teams) to align security initiatives with business goals and product roadmaps.
Qualifications
- 5+ years of hands‑on experience in cybersecurity, with a proven track record designing and implementing security solutions, frameworks, and policies.
- Experience with security architecture, risk assessments, and vulnerability management in complex, fast‑paced environments.
- Demonstrated experience in at least one of:
  - Penetration testing / offensive security (infra, apps, APIs, or Web3), or
  - Running or working closely with red team / purple team engagements
- Experience triaging and managing security findings from scanners, pen tests, and bug bounty programs (HackerOne, Bugcrowd, self‑hosted, etc.).
- Demonstrated ability to deploy and administer IAM platforms (e.g., Okta or similar) and define robust access models (RBAC, SSO, MFA).
- Competence in configuring and managing EDR and MDM solutions across a diverse device and user base.
- Hands‑on experience with regulatory and compliance requirements relevant to financial institutions or crypto companies (e.g., SOC 2, ISO 27001:2022, NIST, CIS).
- Background working at Web3 / crypto companies (DeFi, trading platforms, digital asset custody/security, etc.) is highly advantageous.
- Comfort with at least one scripting / programming language (Python, Go, TypeScript, etc.) to build automations, integrations, and internal tools.
Required Skills
- Strong team player who enjoys working cross‑functionally with IT, HR, Infra, R&D, Product, Trading, and business stakeholders.
- Genuinely passionate about cybersecurity, offensive and defensive: enjoys thinking like an attacker but building like an engineer.
- Experience embedding security best practices into day‑to‑day workflows (development, infrastructure, operations) and driving automation over manual checks.
- Ability to articulate complex security concepts in clear, practical terms to both technical and non‑technical audiences.
- Values ownership, accountability, and clear communication, and is comfortable operating in a fast‑changing environment with high autonomy.
Certifications
- Must‑have
  - OSCP – we expect a deep, hands‑on understanding of offensive techniques, not just theory.
- Nice to have
  - CISSP, CISM, or equivalent broad security leadership/architecture certifications.
  - Relevant GIAC certs (e.g., GWAPT, GCPN, GSEC, GCLD, GCIA, GIAC Cloud / Web / Exploit tracks).
  - Cloud security certifications (e.g., AWS Security Specialty, Azure Security Engineer, GCP Professional Cloud Security Engineer).
  - Kubernetes / container security or general K8s certifications (CKS, CKA, etc.).